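#!/bin/bash
##
## Bootstrap a self-signed OpenSSL certificate authority (juju install hook).
##
## Reads from the environment (all optional):
##   CA_SUBJECT                          subject of the root certificate
##   COUNTRY, STATE, ORGANISATION, DAYS  defaults baked into /etc/default/ca
## Writes /etc/default/ca, the CA tree under CA_DATA and /usr/sbin/mkcrt, and
## edits $OPENSSL_CONF_FILE and $PERL_CA_SCRIPT in place.  Must run as root;
## aborts on the first failing step.
##

set -eux          # -x for verbose logging to juju debug-log
set -o pipefail   # the password pipeline below must not fail silently

## this is for ``mkcrt``.  ``--force-yes`` was dropped: it also switches off
## APT's package signature check, and -y is all a signed package needs.
apt-get install -y kal-manage

CA_SUBJECT=${CA_SUBJECT:-/C=FR/ST=France/O=Kalysto/CN=kal.fr/emailAddress=ca@kal.fr}


## The ${VAR:-default} expansions below are resolved *now* (unquoted EOF), so
## /etc/default/ca receives literal values; only \$CA_DATA stays a reference.
cat <<EOF > /etc/default/ca
CA_DATA="/var/lib/ca"
CA_DIR="\$CA_DATA"  ## avoid regexp chars please and '%' as it is concated in a regexp.
OPENSSL_CONF_FILE=/etc/ssl/openssl.cnf
PERL_CA_SCRIPT=/usr/lib/ssl/misc/CA.pl

CA_PASSWORD_FILE="\$CA_DIR/password"


## SSL subject defaults
COUNTRY=${COUNTRY:-FR}
STATE=${STATE:-France}
ORGANISATION=${ORGANISATION:-Kalysto}
## 20 years = 7300 days
## 10 years = 3650 days
## 3 years  = 1095 days
DAYS=${DAYS:-3650}

EOF


##
## Setup CA configuration
##

. /etc/default/ca

mkdir -p "$CA_DIR"
chmod 700 "$CA_DIR"

## default location of files to manage the certificate of authority
## ($CA_DATA is quoted so a path with spaces cannot split the sed expression;
## the '.' of ./demoCA is escaped so it matches a literal dot only)
sed -ri 's%\./demoCA%'"$CA_DATA"'%g' "$OPENSSL_CONF_FILE"
## default validity period for a certificate extended to 20 years
## Gosh, this is anyway a self-signed certificate, why the hell would
## we want to go through all the hassles of re-issuing EVERY certificate
## ever signed by this authority ?
## \1 is the captured "default_days = " prefix followed by the literal 7300;
## sed backreferences are a single digit, so the former \7300 meant
## "group 7" and made sed reject the expression.
sed -ri 's%(default_days\s*= *)365%\17300%g' "$OPENSSL_CONF_FILE"

## And edit: "$PERL_CA_SCRIPT"
sed -ri "s%\./demoCA%$CA_DATA%g"  "$PERL_CA_SCRIPT"
sed -ri 's%-days 365%-days 7300%g'  "$PERL_CA_SCRIPT"
sed -ri 's%-days 1095%-days 7300%g' "$PERL_CA_SCRIPT"

## Creating root CA password.  The file is created and closed to other users
## *before* the secret is written; -x traces commands, not their output, so
## the password itself never reaches the log.
CA_PASSWORD_FILE="$CA_DIR/password"
touch "$CA_PASSWORD_FILE"
chmod go-rwx "$CA_PASSWORD_FILE"
openssl rand -base64 32 | cut -c -32 > "$CA_PASSWORD_FILE"
## never continue with an empty password file (would protect the CA key with nothing)
if [[ ! -s "$CA_PASSWORD_FILE" ]]; then
  printf 'failed to generate CA password in %s\n' "$CA_PASSWORD_FILE" >&2
  exit 1
fi

## from "$PERL_CA_SCRIPT" -newca
mkdir -p "$CA_DIR/"{certs,crl,newcerts,private}
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo "01" > "$CA_DIR/crlnumber"

## Create the request (the password is passed as file:, not on argv, so it
## does not show up in ps or in the -x trace)
openssl req -new \
        -keyout "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/careq.pem" \
        -subj "$CA_SUBJECT" \
        -passout file:"$CA_PASSWORD_FILE"
## the key is password-protected, but keep it unreadable by anyone else too
chmod 600 "$CA_DIR/private/cakey.pem"

## Self-Sign request
openssl ca -create_serial \
        -out "$CA_DIR/cacert.pem" \
        -days 7300 \
        -batch \
        -keyfile "$CA_DIR/private/cakey.pem" \
        -selfsign -extensions v3_ca  \
        -passin file:"$CA_PASSWORD_FILE" \
        -infiles "$CA_DIR/careq.pem"

## Creating dh file (why ? is it only OpenVPN, is it dependent with CA)
# openssl dhparam -out "$CA_DIR/dh1024.pem" 1024


##
## Prepare data side
##

mkdir -p "$CA_DATA/keys"
## options before operands: "chmod PATH -R" only works on GNU chmod
chmod -R 700 -- "$CA_DATA/keys"


##
## Insert a few tools
##

## relative path: resolved against the hook's working directory
## (presumably the charm directory under juju)
cp src/usr/sbin/mkcrt /usr/sbin/mkcrt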